Critical Vulnerability in Cline Kanban Exposes AI Coding Agents to Hijacking
Severity: High (Score: 75.0)
Sources: Infosecurity-Magazine, www.oasis.security
Summary
A critical vulnerability (CVSS 9.7) in the Cline Kanban server allows any website a developer visits to silently exfiltrate workspace data and inject commands into the AI agent's terminal. The flaw affects version 0.1.59 of the Kanban npm package and arises from missing origin validation and authentication on its WebSocket endpoints. No user interaction is required: malicious JavaScript on any webpage the developer has open can connect to the local server and exploit the flaw. The issue affects all developers using Cline's Kanban feature, potentially exposing sensitive data and allowing unauthorized command execution. Oasis Security reported the vulnerability to Cline, which has since released a patch in version 0.1.66. The incident highlights a broader systemic issue with localhost trust boundaries in AI coding platforms.

Key Points:
- Cline Kanban server vulnerability allows remote command injection via WebSocket.
- Affected version is 0.1.59; patch available in version 0.1.66.
- No user interaction required for exploitation, posing a significant risk to developers.
Key Entities
- Data Breach (attack_type)
- Bugcrowd (company)
- Oasis Security (company)
- CWE-287 - Improper Authentication (cwe)
- CWE-862 - Missing Authorization (cwe)
- T1041 - Exfiltration Over C2 Channel (mitre_attack)
- T1059 - Command and Scripting Interpreter (mitre_attack)
- T1567.002 - Exfiltration to Cloud Storage (mitre_attack)
- JavaScript (tool)
- WebSocket (platform)